From: Vern Paxson
Subject: Re: [Bro-Dev] content_gap vs. ack_above_hole
> Can somebody remind me what exactly the difference between these two
> is (and/or why we have both?).
Yeah, my fault. As best as I can tell (from revisiting the code),
content-gap is a superset of ack-above-hole. Content gaps can also occur
in situations where we're not expecting to see ACKs (for example, due to
split routing, or because we're not processing traffic from the receiver).
I think merging the two into a single content_gap event would make sense.
This should be really easy to take care of for 2.3.
Is the answer here to just remove the ack_above_hole event? I read the code a bit and it appears reasonable to do that since gaps are already being caught by content_gap. Does anyone know of any users of this event? I don't.